Hi Amos and others. Its not a "samba" thing or a squid thing. Maybe in the end yes, but this is a configuration thing.
For you guys to know, samba AD DC setup this parameter as default : ldap server require strong auth = yes Which obligates the use of TLS. Next, users dont configure /etc/ldap/ldap.conf when they use TLS. Squid and samba may need the CA root if you use TLS. Which should to in ldap.conf TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT allow Samba sets these days: ntlm auth = no Laman auth = no Which disables NTLMv1 and last, users dont know kerberos and the need of A/PTR records. For others, i've posted a example auth setup and smb.conf setup for squid on Debian Jessie. Tested as of squid 3.4.8 upto 3.5.24. ( with and without ssl bumping ) Google for : Problems with Samba 4.6.3 Authentication Post date 23-may 2017 When upgrading samba/winbind as of 4.2 upto 4.5 or 4.6. You MUST read the change logs at least for every samba 4.X.0 version. \ At least 4.2.0 4.3.0 4.4.0 4.5.0 and 4.6.0 https://www.samba.org/samba/history/ Look a the smb.conf changes. Like this one for 4.5 : smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- kccsrv:samba_kcc Changed default yes ntlm auth Changed default no only user Removed password hash gpg key ids New shadow:snapprefix New shadow:delimiter New _GMT smb2 leases Changed default yes username Removed Greetz, Louis > -----Oorspronkelijk bericht----- > Van: squid-users > [mailto:squid-users-boun...@lists.squid-cache.org] Namens > Amos Jeffries > Verzonden: maandag 22 mei 2017 22:46 > Aan: squid-users@lists.squid-cache.org > Onderwerp: Re: [squid-users] Problem with Squid3 Authentication > > On 23/05/17 02:15, Marcio Demetrio Bacci wrote: > > I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but > now my Squid > > authentication doesn't work. > > > > In samba 4.2.1 is working properly. > > > > This is my authentication block: > > > > > > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b > > DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br > > -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f > "sAMAccountName=%s" > > auth_param basic children 50 > > auth_param basic realm Access Monitored auth_param basic > > credentialsttl 8 hours auth_param basic casesensitive off > > > > I'm using Squid 3.4.8 > > > > Can anybody help me ? > > If the only thing that changed was Samba its clearly an issue > with that end of the system. > > I suggest you compare those LDAP parameters with what the new > Samba version needs, and if there is no issue there please > contact your vendor or the Samba help channels. > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
